Vulnerabilities > Contest Gallery
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-26 | CVE-2022-4165 | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. | 6.5 |
| 2022-12-26 | CVE-2022-4166 | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. | 6.5 |
| 2022-12-06 | CVE-2022-45848 | Cross-site Scripting vulnerability in Contest-Gallery Contest Gallery Unauth. | 6.1 |
| 2022-08-23 | CVE-2022-36394 | SQL Injection vulnerability in Contest-Gallery Contest Gallery Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress. | 8.8 |
| 2022-04-18 | CVE-2022-27853 | Cross-site Scripting vulnerability in Contest-Gallery Contest Gallery Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9 | 4.8 |
| 2021-11-29 | CVE-2021-24915 | SQL Injection vulnerability in Contest Gallery Contest Gallery The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address | 9.8 |
| 2019-07-05 | CVE-2019-5974 | Cross-Site Request Forgery (CSRF) vulnerability in Contest-Gallery Contest Gallery Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |